mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-05 16:30:23 +00:00
Config: fail closed invalid config loads (#39071)
* Config: fail closed invalid config loads * CLI: keep diagnostics on explicit best-effort config * Tests: cover invalid config best-effort diagnostics * Changelog: note invalid config fail-closed fix * Status: pass best-effort config through status-all gateway RPCs * CLI: pass config through gateway secret RPC * CLI: skip plugin loading from invalid config * Tests: align daemon token drift env precedence
This commit is contained in:
Vincent Koc
@@ -2,7 +2,7 @@ import { describe, expect, it, vi } from "vitest";
|
||||
import type { RuntimeEnv } from "../runtime.js";
|
||||
import { withEnvAsync } from "../test-utils/env.js";
|
||||
|
||||
const loadConfig = vi.fn(() => ({
|
||||
const readBestEffortConfig = vi.fn(async () => ({
|
||||
gateway: {
|
||||
mode: "remote",
|
||||
remote: { url: "wss://remote.example:18789", token: "rtok" },
|
||||
@@ -94,7 +94,7 @@ const probeGateway = vi.fn(async (opts: { url: string }) => {
|
||||
});
|
||||
|
||||
vi.mock("../config/config.js", () => ({
|
||||
loadConfig,
|
||||
readBestEffortConfig,
|
||||
resolveGatewayPort,
|
||||
}));
|
||||
|
||||
@@ -150,8 +150,7 @@ function makeRemoteGatewayConfig(url: string, token = "rtok", localToken = "ltok
|
||||
}
|
||||
|
||||
function mockLocalTokenEnvRefConfig(envTokenId = "MISSING_GATEWAY_TOKEN") {
|
||||
// pragma: allowlist secret
|
||||
loadConfig.mockReturnValueOnce({
|
||||
readBestEffortConfig.mockResolvedValueOnce({
|
||||
secrets: {
|
||||
providers: {
|
||||
default: { source: "env" },
|
||||
@@ -164,7 +163,7 @@ function mockLocalTokenEnvRefConfig(envTokenId = "MISSING_GATEWAY_TOKEN") {
|
||||
token: { source: "env", provider: "default", id: envTokenId },
|
||||
},
|
||||
},
|
||||
} as unknown as ReturnType<typeof loadConfig>);
|
||||
} as never);
|
||||
}
|
||||
|
||||
async function runGatewayStatus(
|
||||
@@ -266,7 +265,7 @@ describe("gateway-status command", () => {
|
||||
MISSING_GATEWAY_PASSWORD: undefined,
|
||||
},
|
||||
async () => {
|
||||
loadConfig.mockReturnValueOnce({
|
||||
readBestEffortConfig.mockResolvedValueOnce({
|
||||
secrets: {
|
||||
providers: {
|
||||
default: { source: "env" },
|
||||
@@ -280,7 +279,7 @@ describe("gateway-status command", () => {
|
||||
password: { source: "env", provider: "default", id: "MISSING_GATEWAY_PASSWORD" },
|
||||
},
|
||||
},
|
||||
} as unknown as ReturnType<typeof loadConfig>);
|
||||
} as never);
|
||||
|
||||
await runGatewayStatus(runtime, { timeout: "1000", json: true });
|
||||
},
|
||||
@@ -307,7 +306,7 @@ describe("gateway-status command", () => {
|
||||
CLAWDBOT_GATEWAY_TOKEN: undefined,
|
||||
},
|
||||
async () => {
|
||||
loadConfig.mockReturnValueOnce({
|
||||
readBestEffortConfig.mockResolvedValueOnce({
|
||||
secrets: {
|
||||
providers: {
|
||||
default: { source: "env" },
|
||||
@@ -320,7 +319,7 @@ describe("gateway-status command", () => {
|
||||
token: "${CUSTOM_GATEWAY_TOKEN}",
|
||||
},
|
||||
},
|
||||
} as unknown as ReturnType<typeof loadConfig>);
|
||||
} as never);
|
||||
|
||||
await runGatewayStatus(runtime, { timeout: "1000", json: true });
|
||||
},
|
||||
@@ -463,7 +462,7 @@ describe("gateway-status command", () => {
|
||||
it("skips invalid ssh-auto discovery targets", async () => {
|
||||
const { runtime } = createRuntimeCapture();
|
||||
await withEnvAsync({ USER: "steipete" }, async () => {
|
||||
loadConfig.mockReturnValueOnce(makeRemoteGatewayConfig("", "", "ltok"));
|
||||
readBestEffortConfig.mockResolvedValueOnce(makeRemoteGatewayConfig("", "", "ltok"));
|
||||
discoverGatewayBeacons.mockResolvedValueOnce([
|
||||
{ tailnetDns: "-V" },
|
||||
{ tailnetDns: "goodhost" },
|
||||
@@ -481,7 +480,7 @@ describe("gateway-status command", () => {
|
||||
it("infers SSH target from gateway.remote.url and ssh config", async () => {
|
||||
const { runtime } = createRuntimeCapture();
|
||||
await withEnvAsync({ USER: "steipete" }, async () => {
|
||||
loadConfig.mockReturnValueOnce(
|
||||
readBestEffortConfig.mockResolvedValueOnce(
|
||||
makeRemoteGatewayConfig("ws://peters-mac-studio-1.sheep-coho.ts.net:18789"),
|
||||
);
|
||||
resolveSshConfig.mockResolvedValueOnce({
|
||||
@@ -507,7 +506,9 @@ describe("gateway-status command", () => {
|
||||
it("falls back to host-only when USER is missing and ssh config is unavailable", async () => {
|
||||
const { runtime } = createRuntimeCapture();
|
||||
await withEnvAsync({ USER: "" }, async () => {
|
||||
loadConfig.mockReturnValueOnce(makeRemoteGatewayConfig("wss://studio.example:18789"));
|
||||
readBestEffortConfig.mockResolvedValueOnce(
|
||||
makeRemoteGatewayConfig("wss://studio.example:18789"),
|
||||
);
|
||||
resolveSshConfig.mockResolvedValueOnce(null);
|
||||
|
||||
startSshPortForward.mockClear();
|
||||
@@ -523,7 +524,9 @@ describe("gateway-status command", () => {
|
||||
it("keeps explicit SSH identity even when ssh config provides one", async () => {
|
||||
const { runtime } = createRuntimeCapture();
|
||||
|
||||
loadConfig.mockReturnValueOnce(makeRemoteGatewayConfig("wss://studio.example:18789"));
|
||||
readBestEffortConfig.mockResolvedValueOnce(
|
||||
makeRemoteGatewayConfig("wss://studio.example:18789"),
|
||||
);
|
||||
resolveSshConfig.mockResolvedValueOnce({
|
||||
user: "me",
|
||||
host: "studio.example",
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import { withProgress } from "../cli/progress.js";
|
||||
import { loadConfig, resolveGatewayPort } from "../config/config.js";
|
||||
import { readBestEffortConfig, resolveGatewayPort } from "../config/config.js";
|
||||
import { probeGateway } from "../gateway/probe.js";
|
||||
import { discoverGatewayBeacons } from "../infra/bonjour-discovery.js";
|
||||
import { resolveSshConfig } from "../infra/ssh-config.js";
|
||||
@@ -35,7 +35,7 @@ export async function gatewayStatusCommand(
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
const startedAt = Date.now();
|
||||
const cfg = loadConfig();
|
||||
const cfg = await readBestEffortConfig();
|
||||
const rich = isRich() && opts.json !== true;
|
||||
const overallTimeoutMs = parseTimeoutMs(opts.timeout, 3000);
|
||||
const wideAreaDomain = resolveWideAreaDiscoveryDomain({
|
||||
|
||||
@@ -4,7 +4,7 @@ import { getChannelPlugin, listChannelPlugins } from "../channels/plugins/index.
|
||||
import type { ChannelAccountSnapshot } from "../channels/plugins/types.js";
|
||||
import { withProgress } from "../cli/progress.js";
|
||||
import type { OpenClawConfig } from "../config/config.js";
|
||||
import { loadConfig } from "../config/config.js";
|
||||
import { loadConfig, readBestEffortConfig } from "../config/config.js";
|
||||
import { loadSessionStore, resolveStorePath } from "../config/sessions.js";
|
||||
import { buildGatewayConnectionDetails, callGateway } from "../gateway/call.js";
|
||||
import { info } from "../globals.js";
|
||||
@@ -526,7 +526,7 @@ export async function healthCommand(
|
||||
opts: { json?: boolean; timeoutMs?: number; verbose?: boolean; config?: OpenClawConfig },
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
const cfg = opts.config ?? loadConfig();
|
||||
const cfg = opts.config ?? (await readBestEffortConfig());
|
||||
// Always query the running gateway; do not open a direct Baileys socket here.
|
||||
const summary = await withProgress(
|
||||
{
|
||||
|
||||
@@ -3,7 +3,11 @@ import { formatCliCommand } from "../cli/command-format.js";
|
||||
import { resolveCommandSecretRefsViaGateway } from "../cli/command-secret-gateway.js";
|
||||
import { getStatusCommandSecretTargetIds } from "../cli/command-secret-targets.js";
|
||||
import { withProgress } from "../cli/progress.js";
|
||||
import { loadConfig, readConfigFileSnapshot, resolveGatewayPort } from "../config/config.js";
|
||||
import {
|
||||
readBestEffortConfig,
|
||||
readConfigFileSnapshot,
|
||||
resolveGatewayPort,
|
||||
} from "../config/config.js";
|
||||
import { readLastGatewayErrorLine } from "../daemon/diagnostics.js";
|
||||
import { resolveNodeService } from "../daemon/node-service.js";
|
||||
import type { GatewayService } from "../daemon/service.js";
|
||||
@@ -39,7 +43,7 @@ export async function statusAllCommand(
|
||||
): Promise<void> {
|
||||
await withProgress({ label: "Scanning status --all…", total: 11 }, async (progress) => {
|
||||
progress.setLabel("Loading config…");
|
||||
const loadedRaw = loadConfig();
|
||||
const loadedRaw = await readBestEffortConfig();
|
||||
const { resolvedConfig: cfg } = await resolveCommandSecretRefsViaGateway({
|
||||
config: loadedRaw,
|
||||
commandName: "status --all",
|
||||
@@ -190,6 +194,7 @@ export async function statusAllCommand(
|
||||
progress.setLabel("Querying gateway…");
|
||||
const health = gatewayReachable
|
||||
? await callGateway({
|
||||
config: cfg,
|
||||
method: "health",
|
||||
timeoutMs: Math.min(8000, opts?.timeoutMs ?? 10_000),
|
||||
...callOverrides,
|
||||
@@ -198,6 +203,7 @@ export async function statusAllCommand(
|
||||
|
||||
const channelsStatus = gatewayReachable
|
||||
? await callGateway({
|
||||
config: cfg,
|
||||
method: "channels.status",
|
||||
params: { probe: false, timeoutMs: opts?.timeoutMs ?? 10_000 },
|
||||
timeoutMs: Math.min(8000, opts?.timeoutMs ?? 10_000),
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import fs from "node:fs/promises";
|
||||
import path from "node:path";
|
||||
import { resolveAgentWorkspaceDir } from "../agents/agent-scope.js";
|
||||
import type { OpenClawConfig } from "../config/config.js";
|
||||
import { loadConfig } from "../config/config.js";
|
||||
import { loadSessionStore, resolveStorePath } from "../config/sessions.js";
|
||||
import { listAgentsForGateway } from "../gateway/session-utils.js";
|
||||
@@ -16,6 +17,13 @@ export type AgentLocalStatus = {
|
||||
lastActiveAgeMs: number | null;
|
||||
};
|
||||
|
||||
type AgentLocalStatusesResult = {
|
||||
defaultId: string;
|
||||
agents: AgentLocalStatus[];
|
||||
totalSessions: number;
|
||||
bootstrapPendingCount: number;
|
||||
};
|
||||
|
||||
async function fileExists(p: string): Promise<boolean> {
|
||||
try {
|
||||
await fs.access(p);
|
||||
@@ -25,13 +33,9 @@ async function fileExists(p: string): Promise<boolean> {
|
||||
}
|
||||
}
|
||||
|
||||
export async function getAgentLocalStatuses(): Promise<{
|
||||
defaultId: string;
|
||||
agents: AgentLocalStatus[];
|
||||
totalSessions: number;
|
||||
bootstrapPendingCount: number;
|
||||
}> {
|
||||
const cfg = loadConfig();
|
||||
export async function getAgentLocalStatuses(
|
||||
cfg: OpenClawConfig = loadConfig(),
|
||||
): Promise<AgentLocalStatusesResult> {
|
||||
const agentList = listAgentsForGateway(cfg);
|
||||
const now = Date.now();
|
||||
|
||||
|
||||
@@ -153,6 +153,7 @@ export async function statusCommand(
|
||||
method: "health",
|
||||
params: { probe: true },
|
||||
timeoutMs: opts.timeoutMs,
|
||||
config: scan.cfg,
|
||||
}),
|
||||
)
|
||||
: undefined;
|
||||
@@ -162,6 +163,7 @@ export async function statusCommand(
|
||||
method: "last-heartbeat",
|
||||
params: {},
|
||||
timeoutMs: opts.timeoutMs,
|
||||
config: scan.cfg,
|
||||
}).catch(() => null)
|
||||
: null;
|
||||
|
||||
@@ -219,7 +221,7 @@ export async function statusCommand(
|
||||
const warn = (value: string) => (rich ? theme.warn(value) : value);
|
||||
|
||||
if (opts.verbose) {
|
||||
const details = buildGatewayConnectionDetails();
|
||||
const details = buildGatewayConnectionDetails({ config: scan.cfg });
|
||||
runtime.log(info("Gateway connection:"));
|
||||
for (const line of details.message.split("\n")) {
|
||||
runtime.log(` ${line}`);
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import { describe, expect, it, vi } from "vitest";
|
||||
|
||||
const mocks = vi.hoisted(() => ({
|
||||
loadConfig: vi.fn(),
|
||||
readBestEffortConfig: vi.fn(),
|
||||
resolveCommandSecretRefsViaGateway: vi.fn(),
|
||||
buildChannelsTable: vi.fn(),
|
||||
getUpdateCheckResult: vi.fn(),
|
||||
@@ -17,7 +17,7 @@ vi.mock("../cli/progress.js", () => ({
|
||||
}));
|
||||
|
||||
vi.mock("../config/config.js", () => ({
|
||||
loadConfig: mocks.loadConfig,
|
||||
readBestEffortConfig: mocks.readBestEffortConfig,
|
||||
}));
|
||||
|
||||
vi.mock("../cli/command-secret-gateway.js", () => ({
|
||||
@@ -74,7 +74,7 @@ import { scanStatus } from "./status.scan.js";
|
||||
|
||||
describe("scanStatus", () => {
|
||||
it("passes sourceConfig into buildChannelsTable for summary-mode status output", async () => {
|
||||
mocks.loadConfig.mockReturnValue({
|
||||
mocks.readBestEffortConfig.mockResolvedValue({
|
||||
marker: "source",
|
||||
session: {},
|
||||
plugins: { enabled: false },
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
import { resolveCommandSecretRefsViaGateway } from "../cli/command-secret-gateway.js";
|
||||
import { getStatusCommandSecretTargetIds } from "../cli/command-secret-targets.js";
|
||||
import { withProgress } from "../cli/progress.js";
|
||||
import { loadConfig } from "../config/config.js";
|
||||
import type { OpenClawConfig } from "../config/config.js";
|
||||
import { readBestEffortConfig } from "../config/config.js";
|
||||
import { buildGatewayConnectionDetails, callGateway } from "../gateway/call.js";
|
||||
import { normalizeControlUiBasePath } from "../gateway/control-ui-shared.js";
|
||||
import { probeGateway } from "../gateway/probe.js";
|
||||
@@ -59,7 +60,7 @@ function unwrapDeferredResult<T>(result: DeferredResult<T>): T {
|
||||
return result.value;
|
||||
}
|
||||
|
||||
function resolveMemoryPluginStatus(cfg: ReturnType<typeof loadConfig>): MemoryPluginStatus {
|
||||
function resolveMemoryPluginStatus(cfg: OpenClawConfig): MemoryPluginStatus {
|
||||
const pluginsEnabled = cfg.plugins?.enabled !== false;
|
||||
if (!pluginsEnabled) {
|
||||
return { enabled: false, slot: null, reason: "plugins disabled" };
|
||||
@@ -72,10 +73,10 @@ function resolveMemoryPluginStatus(cfg: ReturnType<typeof loadConfig>): MemoryPl
|
||||
}
|
||||
|
||||
async function resolveGatewayProbeSnapshot(params: {
|
||||
cfg: ReturnType<typeof loadConfig>;
|
||||
cfg: OpenClawConfig;
|
||||
opts: { timeoutMs?: number; all?: boolean };
|
||||
}): Promise<GatewayProbeSnapshot> {
|
||||
const gatewayConnection = buildGatewayConnectionDetails();
|
||||
const gatewayConnection = buildGatewayConnectionDetails({ config: params.cfg });
|
||||
const isRemoteMode = params.cfg.gateway?.mode === "remote";
|
||||
const remoteUrlRaw =
|
||||
typeof params.cfg.gateway?.remote?.url === "string" ? params.cfg.gateway.remote.url : "";
|
||||
@@ -107,6 +108,7 @@ async function resolveGatewayProbeSnapshot(params: {
|
||||
}
|
||||
|
||||
async function resolveChannelsStatus(params: {
|
||||
cfg: OpenClawConfig;
|
||||
gatewayReachable: boolean;
|
||||
opts: { timeoutMs?: number; all?: boolean };
|
||||
}) {
|
||||
@@ -114,6 +116,7 @@ async function resolveChannelsStatus(params: {
|
||||
return null;
|
||||
}
|
||||
return await callGateway({
|
||||
config: params.cfg,
|
||||
method: "channels.status",
|
||||
params: {
|
||||
probe: false,
|
||||
@@ -124,8 +127,8 @@ async function resolveChannelsStatus(params: {
|
||||
}
|
||||
|
||||
export type StatusScanResult = {
|
||||
cfg: ReturnType<typeof loadConfig>;
|
||||
sourceConfig: ReturnType<typeof loadConfig>;
|
||||
cfg: OpenClawConfig;
|
||||
sourceConfig: OpenClawConfig;
|
||||
secretDiagnostics: string[];
|
||||
osSummary: ReturnType<typeof resolveOsSummary>;
|
||||
tailscaleMode: string;
|
||||
@@ -152,7 +155,7 @@ export type StatusScanResult = {
|
||||
};
|
||||
|
||||
async function resolveMemoryStatusSnapshot(params: {
|
||||
cfg: ReturnType<typeof loadConfig>;
|
||||
cfg: OpenClawConfig;
|
||||
agentStatus: Awaited<ReturnType<typeof getAgentLocalStatuses>>;
|
||||
memoryPlugin: MemoryPluginStatus;
|
||||
}): Promise<MemoryStatusSnapshot | null> {
|
||||
@@ -180,7 +183,7 @@ async function scanStatusJsonFast(opts: {
|
||||
timeoutMs?: number;
|
||||
all?: boolean;
|
||||
}): Promise<StatusScanResult> {
|
||||
const loadedRaw = loadConfig();
|
||||
const loadedRaw = await readBestEffortConfig();
|
||||
const { resolvedConfig: cfg, diagnostics: secretDiagnostics } =
|
||||
await resolveCommandSecretRefsViaGateway({
|
||||
config: loadedRaw,
|
||||
@@ -196,7 +199,7 @@ async function scanStatusJsonFast(opts: {
|
||||
fetchGit: true,
|
||||
includeRegistry: true,
|
||||
});
|
||||
const agentStatusPromise = getAgentLocalStatuses();
|
||||
const agentStatusPromise = getAgentLocalStatuses(cfg);
|
||||
const summaryPromise = getStatusSummary({ config: cfg, sourceConfig: loadedRaw });
|
||||
|
||||
const tailscaleDnsPromise =
|
||||
@@ -232,7 +235,7 @@ async function scanStatusJsonFast(opts: {
|
||||
const gatewaySelf = gatewayProbe?.presence
|
||||
? pickGatewaySelfPresence(gatewayProbe.presence)
|
||||
: null;
|
||||
const channelsStatusPromise = resolveChannelsStatus({ gatewayReachable, opts });
|
||||
const channelsStatusPromise = resolveChannelsStatus({ cfg, gatewayReachable, opts });
|
||||
const memoryPlugin = resolveMemoryPluginStatus(cfg);
|
||||
const memoryPromise = resolveMemoryStatusSnapshot({ cfg, agentStatus, memoryPlugin });
|
||||
const [channelsStatus, memory] = await Promise.all([channelsStatusPromise, memoryPromise]);
|
||||
@@ -283,7 +286,7 @@ export async function scanStatus(
|
||||
},
|
||||
async (progress) => {
|
||||
progress.setLabel("Loading config…");
|
||||
const loadedRaw = loadConfig();
|
||||
const loadedRaw = await readBestEffortConfig();
|
||||
const { resolvedConfig: cfg, diagnostics: secretDiagnostics } =
|
||||
await resolveCommandSecretRefsViaGateway({
|
||||
config: loadedRaw,
|
||||
@@ -307,7 +310,7 @@ export async function scanStatus(
|
||||
includeRegistry: true,
|
||||
}),
|
||||
);
|
||||
const agentStatusPromise = deferResult(getAgentLocalStatuses());
|
||||
const agentStatusPromise = deferResult(getAgentLocalStatuses(cfg));
|
||||
const summaryPromise = deferResult(
|
||||
getStatusSummary({ config: cfg, sourceConfig: loadedRaw }),
|
||||
);
|
||||
@@ -345,7 +348,7 @@ export async function scanStatus(
|
||||
progress.tick();
|
||||
|
||||
progress.setLabel("Querying channel status…");
|
||||
const channelsStatus = await resolveChannelsStatus({ gatewayReachable, opts });
|
||||
const channelsStatus = await resolveChannelsStatus({ cfg, gatewayReachable, opts });
|
||||
const channelIssues = channelsStatus ? collectChannelStatusIssues(channelsStatus) : [];
|
||||
progress.tick();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user